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Abstract — We consider a group of m + 1 trusted nodes that aim 
to create a shared secret key /C over a network in the presence 
of a passive eavesdropper, Eve. We assume a linear non-coherent 
network coding broadcast channel (over a finite field ¥ q ) from 
one of the honest nodes (i.e., Alice) to the rest of them including 
Eve. All of the trusted nodes can also discuss over a cost-free 
public channel which is also overheard by Eve. 

For this setup, we propose upper and lower bounds for the 
secret key generation capacity assuming that the field size q 
is very large. For the case of two trusted terminals (m = 1) 
our upper and lower bounds match and we have complete 
characterization for the secrecy capacity in the large field size 
regime. 

I. Introduction 

For communication over a network performing linear net- 
work coding, Cai and Yeung JTj introduced the problem of 
securing a multicast transmission against an eavesdropper. In 
particular, consider a network implementing linear network 
coding over a finite field ¥ g . Let us assume that the min- 
cut value from the source to each receiver is c. From the 
main theorem of network coding J2], J5] we know that a 
source can send information at rate equal to the min-cut c 
to the destinations, in the absence of any malicious eaves- 
dropper. Now, suppose there is a passive eavesdropper, Eve, 
who overhears p arbitrary edges in the network. The secure 
network coding problem is to design a coding scheme such 
that Eve does not obtain any information about the messages 
transmitted from the source to destinations. Cai and Yeung [fl] 
showed that the secrecy capacity for this problem is c — p and 
can be achieved if the field size q is sufficiently large. Later 
this problem formulation has been investigated in many other 
works. Feldman et al. JD showed that by sacrificing a small 
amount of rate, one might find a secure scheme that requires 
much smaller field size. Rouayheb et al. O observed that this 
problem can be considered as a generalization of the Ozarow- 
Wyner wiretap channel of type II. Silva et al. proposed 
a universal coding scheme that only employs encoding at the 
source. 

In contrast to the previous work, in this paper we study 
the problem of secret key sharing among multiple terminals 
when nodes can send feedback over a public channel. We 
consider a source multicasting information over a network 
at rate equal to the min-cut c to the destinations. We also 
assume that the relay nodes in the network perform linear 



randomized network coding which is modeled by a non- 
coherent transmission scheme. Motivated by 0, JS], we model 
a non-coherent network coding scenario by a multiplicative 
matrix channel over a finite field ¥ q with uniform and i.i.d. 
distribution over transfer matrices in every time-slot. 

The problem of key agreement between a set of terminals 
with access to noisy broadcast channel and public discussion 
channel (visible to the eavesdropper) was studied in Q, where 
some achievable secrecy rates were established, assuming Eve 
does not have access to the noisy broadcast transmissions. This 
was generalized in ITOl . ifTTI by developing (non-computable) 
outer bounds for secrecy rates. However, to the best of our 
knowledge, ours is the first work to consider multi-terminal 
secret key agreement over networks employing randomized 
network coding, when a passive eavesdropper has access to 
the broadcast transmissions. 

Our contributions in this paper are as follows. For the 
secret key sharing problem introduced above, we propose an 
asymptotic achievability scheme assuming that the field size q 
is large. This scheme is based on subspace coding and can be 
extended for arbitrary number of terminals. Using the result 
of ||9), we derive an upper bound for this problem. For m = 1, 
the proposed lower bound matches the upper bound and the 
secret key generation capacity is characterized. However, for 
m > 2, depending on the channel parameters, the upper and 
lower bound might match or not. 

The paper is organized as follows. In Ejll] we introduce 
our notation and the problem formulation and present some 
preliminaries. In ^TTTJ we state a general upper bound for the 
key generation capacity and evaluate it for the non-coherent 
network coding broadcast channel. The main results of the 
paper are presented in ijlVI 



II. Notation and Setup 



A. Notation 



We use (X) to denote the row span of a matrix X. We use 
also [i : j] to denote + 1, . . . , j} where i,j 6 Z. 

Let n be an arbitrary vector space of finite dimension 
defined over a finite field ¥ q . Suppose Hi and H2 are two 
subspaces of n, i.e., Iii CI] and H2 C n. We use Hi to 
denote the common subspaces of both Hi and H2 and ni 
as the smallest subspace that contains both Hi and 112- Two 
subspaces Hi and YL2 are called orthogonal if Hi = {0}. 



Two subspaces III and II2 of II are called complementary if 
they are orthogonal and 111 + II2 = II. 

Now, consider two subspaces ITi and IT2. We define the 
subtraction of II2 from ITi by U = II 1 \ s II2 where U is any 
subspace of III which is complementary with 111 n II2- Note 
that, given 111 and II2, U is not uniquely defined. 

For notational convenience, when J is a set, by II j we 
mean Uj = n ie j-Hi. 

B. Preliminaries 

Definition 1. We define S(l, k) to be the set of all subspaces 
of dimension at most k in the (.-dimensional space ¥ q . 

Definition 2 (see Q). We denote by £(n, d) the number of 
different n x I matrices with elements from a finite field ¥ q , 
such that their rows span a specific subspace 114 E ^ q of 
dimension d where < d < min[n, £]. By using ^7] Lemma 2], 
£(n, d) does not depend on I and depends on ixd only through 
its dimension d. 

Lemma 1. Suppose that k subspaces LTi , . - - , life, with di- 
mensions d\ , . . . , dk, are chosen uniformly at random from 
F™. Then w.h.p. (with high probability]^ we have 

dim (ITi + • • • + life) = min [d± + • • ■ + dk, n] , and 
dim (III n • • • fl life) = [d\ H h d k - {k - l)n} + . 

Note that even if one of the subspaces, for example H\, is a 
fixed subspace, then the above results are still valid. 



Proof: These results follow from IU21 Corollary 1] by 
using induction on the number of subspaces. ■ 

C. Problem Statement 

We consider a set of m + 1 > 2 honest nodes, To, ... , T m , 
(T stands for "terminal") that aim to share a secret key K. 
among themselves while keeping it concealed from a passive 
adversary, Eve. Eve does not perform any transmissions, but is 
trying to eavesdrop on (overhear) the communications between 
the honest nodes. For convenience, sometimes we will refer to 
node To, Ti, T2, . . . , as "Alice," "Bob," "Calvin," and so on. 

We assume that there exists a non-coherent network coding 
broadcast channel (which is going to be defined more precisely 
in the following) from Alice to the other terminals (including 
Eve). Also we assume that the legitimate terminals can pub- 
licly discuss over a noiseless rate unlimited public channel. 

Consider a non-coherent linear network coding communi- 
cation scenario where at every time-slot t Alice (terminal To) 
injects a set of nj\ vectors (packets) of length I (over some 
finite field F„) into the network, denoted by the row vectors 
of the matrix X^t] £ ¥ q Axe . Each terminal T,; receives 
rii randomly chosen linear combinations of the transmitted 
vectors, namely for r £ {1, . . . , m, E}, we hav^| 



X r [t] = F r [t]X A [t] 



(1) 



1 During the paper by "high probability" we mean probability of order 1 — 
0(q~ 1 ) unless otherwise stated. 

2 As subscript, we use i to denote for T; for all i 6 [0 : m]. At some 
points, we also use X^, Xg, Xq, etc., to denote for Jfo, X\, X2, etc. 



where F r [t] £ Fg rX " A is chosen uniformly at random among 
all possible matrices and independently for each receiver and 
every time-slot. So for the channel transition probability we 
can write 



P 



x 1 ---x m x E \x, 



A (xi , . . . , X m: X£ |xa) 



P X E \X A ( x E\ x *)n P X z \xA x *\ x /\)> 



(2) 



where for each r £ {1, . . . , m, E} we have (see j7] Sec IV- A]) 

p , frp \rp*\ — f <T"" dim ^ if (X r ) E {XA} , 

P Xr \x A (Xr\xA) - j Q otherwise. 

Note that in this setup we do not assume any CS^] at the 
transmitter or receivers. 

In order to define the secrecy capacity, we use iTTJI Defini- 
tion 1] and Q3] Definition 2] (see also El, Q5), 0, ifTTI V 

III. Upper Bound 

A. Secrecy Upper Bound for Independent Broadcast Channels 

The secret key generation capacity among multiple termi- 
nals (without eavesdropper having access to the broadcast 
channel) is completely characterized in |9||. By using this 
result, it is possible to state an upper bound for the secrecy 
capacity of the key generation problem among multiple termi- 
nals where the eavesdropper has also access to the broadcast 
channel. This can be done by adding a dummy terminal to the 
first problem and giving all the eavesdropper's information to 
this dummy node and let it to participate in the key generation 
protocol. By doing so, the secret key generation rate does 
not decrease. Hence by combining J9] Theorem 4.1] and J5] 
Lemma 5.1], the following result can be stated. 

Theorem 1. The secret key generation capacity is upper 
bounded as follows 

C a < 



max mm 

Px A6A([0:m]) 



H(X[ 0:m ] \Xe) 



\bH(Xb\X B c,Xe) 

BC[0:m] 



where A([0 : m]) is the set of all collections X = 
{\ B : B C [0 : to], B ^ 0} of weights < \ B < 1, satisfying 



BC[0:m],i£B 



Vi £ [0 : to]. 



Note that in the above expression for the upper bound, it is 
possible to change the order of maximization and minimization 
IM Theorem 4.1]. 

Now, for our problem where the channel from Alice to the 
other terminals are assumed to be independent, we can further 
simplify the upper bound given in Theorem [TJ as stated in 
Corollary Q] 

Corollary 1. If the channels from Alice to the other terminals 
are independent, as described in (O, then the upper bound 

3 Channel state information. 



stated in Theorem [7J for the secret key generation capacity is 
simplified to 



C s < max min I(Xq; Xj\Xt) 

Px j£[l:m] 

< min max/(Xo; Xj |Xe). 

je[l:m] Px 



(3) 
(4) 



Proof: For the proof please refer to lfi"6l . ■ 
Remark: Note that (01 is the best upper bound one might hope 
for an independent broadcast channel using results of []9]- 
Remark: Using |[T4l Theorem 7] or |fT51 Theorem 2], we 
observe that the bound given in © is indeed tight for the 
two terminals problem where we have the Markov chains 
Xb <-» X A O Xe (when the channels are independent) or 
X A o Xq O Xe (when the channels are degraded). 

B. Upper Bound for Non-coherent Channel 

In the previous section, we have shown that the secret key 
generation rate for our problem can be upper bounded by (3}. 
Now, we need to evaluate the above upper bound for the non- 
coherent network coding channel defined in iffl-CI 

Lemma 2. For the joint distribution of the form 

Px„XiX E {x k ,Xi,X^) = Px A (x A )P Xi \X A {Xi\x A )P X{ :\X A {xii\x A ) 

the mutual information I(X A ; X^Xe) is a concave function 
of P Xa {x a ) for fixed P Xl \x A (xi\x A ) and P Xe \x a (xe\x A ). 

Proof: For the proof please refer to lfl"6l . ■ 
Similar to J7] Definition 5], here we define an equivalent 
subspace broadcast channel from Alice (terminal To) to the 
rest of terminals as follows. We assume that Alice sends a 
subspace IIa £ S(£,n A ) where ITa = (X A ) and each of the 
legitimate terminals receives II,; £ S(£,rii) and Eve receives 
ITe £ S(£, tie) where IT; = (X;) and IIe = (Xe), respectively. 
The channel transition probabilities are independent and for 
each receiver i is defined as follows 

p f | v A / ^(n^dim^))^""^ 1 " 1 ^) ifTT.CTTA, 

JW**I*a) = ( V otherwise, 
where the function £ is defined in Definition [2] 

Lemma 3. For every input distribution P Xa there exists an in- 
put distribution Pjj a such that I(X A ; X^Xe) = /(IIa; HIIIe) 
and vice-versa. 



Proof: For the proof please refer to flT61 . ■ 
So by Lemma |3] in order to maximize I(X A ; X^Xe) with 
respect to Px A it is sufficient to solve an equivalent problem, 
i.e., maximize /(IL^ILJIIe) with respect to Pu A \ which is 
seemingly a simpler optimization problem. 

Lemma 4. The input distribution that maximizes 
7(IL\; HIIIe) is the one which is uniform over all subspaces 
having the same dimension. 

Proof: By the concavity of /(LTa; TI^ |TIe) with respect 
to Pn A , that is stated in Lemma the proof follows by an 
argument very similar to fl7] Lemma 8]. ■ 



Lemma 5. Asymptotically in the field size, we have 
maxI(X A ;X l \XE) = max /(ITa; IL|n E ) = 

(min[?M, rn + tie] — tie) (I - min[nA, n 8 + tie]) log q. 

Proof: For the proof refer to lTT6l . ■ 
Thus, by using the upper bound given in (0]i and Lemma 
we have the following result for the upper bound on the secret 
key generation rate, as stated in Theorem 

Theorem 2. The secret key generation rate in a non-coherent 
network coding scenario, which is defined in mi-C\ is asymp- 
totically (in the field size) upper bounded by 

C s < 

min f (min[n A , rn + n E ] - n E ) U — min[n A , rn + n E l) 1 log q. 

ie[l:m] 

Remark: Note that if ue = n A then the secret key generation 
rate is zero because Eve is so powerful that she overhears all 
of the transmitted information. 

IV. Asymptotic Achievability Scheme 

Here in this section, we describe our achievability scheme 
for the secret key sharing problem among multiple terminals 
in a non-coherent network coding setup. 

Without loss of generality, let us assume thafl n A < t. 
Moreover, in this work we focus on the asymptotic regime 
where the field size is large. Suppose that Alice broadcasts a 
message X A [t] at time-slot t of the following form 



X A \t] = [ 7„ A> 



M[t] 



(5) 



where M[t] £ F, 



n A x(t-n A ) 



is a uniformly at random distributed 



matrix. The rest of legitimate terminals and Eve receive a 
linear transformed version of X A [t] according to the channel 
introduced in (HJ. 

For each terminal r £ {A, 1, . . . , m, E}, we define the 
subspace II r = (X r ). Then, for every r ^ A we have 
n r E rL\. Because of ©, after broadcasting Xa[£], the 
legitimate terminals learn the channel state and reveal the 
channel transfer matrices F r [t], r £ [1 : m], publicly over 
the public channel. Thus Alice can also recover the subspaces 
n r for all of the legitimate terminals. 

Now, for each non-empty subset J C [1 : m] of legitimate 
receivers, let us define the subspace Uj as follows 



U J = \ s £ n 



ij 



n 



EJ 



(6) 



where lij = n^jn,, Tl tJ = n, n Ilj, and IL E j = U E D 
Uj. By definition, Uj is the common subspace among the 
receivers in J which is orthogonal to all of the subspaces of 
other terminals, i.e., it is orthogonal to LL,, i £ J c , and IIe (see 
also Fig. [T]). Note that the subspaces Uj's are not uniquely 
defined. However, from the definition of the operator "\ s ", it 

If n A > t th en Alice can reduce the number of injected packets into the 
network from n A to some smaller number n'^ where re, < £■ 



can be easily shown that the dimension of each Uj is uniquely 
determined and equal to 

dim(E^) = dim(nj) - dim ( £ IT, j + H EJ J . (7) 

If Alice had the subspace IIe observed by Eve, she would 
be able to construct subspaces U j's; but she does not have ITe- 
However, because the subspaces II; 's and IIe are chosen inde- 
pendently and uniformly at random from IIa, and because the 
field size q is large, Alice, by applying LemmaQ] can find the 
dimension of each U j w.h.p. Then it can be easily observed 
that (e.g., see |[T2l Lemma 3]) if Alice chooses a uniformly 
at random subspace of Uj with dimension dim(Uj) then it 
satisfies © w.h.p., so it can be a possible candidate for U j. 

Now, consider 2 m — 1 different non-empty subsets of [1 : m]. 
To each subset ^ J C [1 : m], we assign a parameter 
6j > such that the following set of inequalities hold, 

0Ji + • • • + Jk < dim (Uj, + ■ ■ ■ + U Jk + n E ) - dim(n E ), (8) 

for any k S [1 : 2^ m ~^ - 1] and any different selection 
of subsets J\, . ■ . , Jk- Note that the right hand side of the 
inequalities defined in © depend on the actual choice of 
subspaces U j's. But, as described above, in the following we 
assume that U j's are chosen uniformly at random from IIj-. 

If Alice knows the subspace IIe, then we can state the 
following result. 

Lemma 6. There exists subspaces U'j C Uj such that 
A\m{U'j) = 9j for all ^ J C [1 : m], and U'j's and 
ITe ore orthogonal subspaces (i.e., dim(IlE + Y]^ U'j. ) = 
dim(IlE) + J2i®Ji) tf an d only if Qj's are non-negative 
integers and satisfy (0. 

Proof: The proof of this lemma is based on ifTTl 
Lemma 4] and can be found in lfl6l . ■ 
FigOJ depicts pictorially the relation between subspaces 
introduced in the above discussions. 




Fig. 1. The relations between subspaces IPs, U's, and U''s for the case of 
m = 2. 

Although in practice Alice only knows the dimension of IIe 
(w.h.p.), but still she can find subspaces U'j C Uj such that 
the result of Lemma [6] holds w.h.p., as stated in Lemma [7J 

Lemma 7. Alice can find subspaces U'j C Uj such that 
dim(^) = 6j for all ^ J C [1 : m], and U'j's 
are orthogonal subspaces and U'j's and IIe care orthogonal 



subspaces w.h.p., if and only ifOj's are non-negative integers 
and satisfy ([8}. 

Proof: For the proof refer to |TT6) . ■ 
Then, we have the following result. 

Theorem 3. The secret key sharing rate given by the solution 
of the following convex optimization problem can be asymp- 
totically (in the field size) achieved 

maximize [miiv e[1 . m ] j 3r 6j] ~ "a) log q 
subject to 6j>0, VJ C [1 : m], J ^ 0, and 

9j 1 + ... + e Jk < 

dim (Uj, + ■ ■ ■ + U Jh + He) - dim(n E ) 
Vfc, VJ!,...,J k : 0^ Ji C [l:m], 
Ji ^ Jj if * ^ j, 

where for every J , U j is chosen uniformly at random from 
Uj with the dimension calculated by (0) under the assumption 
that IIi,...,II m , and He are selected independently and 
uniformly at random from IIa with dimensions rii, . . . , n m , tie- 

Proof of Theorem^ Let Alice use the broadcast channel 
N times by sending matrices Xa[1], ■ ■ • ,X&[N] of the form 
(0. As mentioned before, in every time-slot t, each of the 
legitimate terminals sends publicly the channel transfer matrix 
it has received. 

Then, let us define 6j= [NO j\ for all J and consider the 
following set of inequalities 

hi + +ATdim(n E ) < 

(JV N N \ 

®^W + --- + 0^M + 0n E M J, (9) 

where "0" is the direct sum operator. Each of Uj i = 
©|=i ^ Ji M ' s a subspace of an iV x n& dimensional space 
(D t=1 IlA[i]. Similarly, we have IIe E ®t=i where 
IIe — ©t = iIlE[i]- It can be easily seen that if the set of 
inequalities ([8]l are satisfied then the set of inequalities (O are 
also satisfied. 

Now, by using Lemma [7] Alice can find a set of orthogonal 
subspaces U'j with dimension 6j (that are also orthogonal 
to IIe w.h.p.). By applying Lemma [8] (appeared after this 
theorem), one would observe that if Alice uses a basis of U'j 
(8j linear independent vectors from U'j) to share a secret 
key AC j with all terminals in J ', then this key is secure from 
Eve and all other legitimate terminals in J c w.h.p. Using each 
key Kj, Alice can send a message of size 9j(£ — n&) \ogq 
secretly to the terminals in J . In order to share the key JCj, 
Alice sends publicly a set of coefficients for each terminal 
in J so that each of them can construct the subspace U j 
from their own received subspace. Note that even having these 
coefficients, Eve cannot recover any information regarding JC j 
(for more discussion see ifLTI ). 

Up until now, the problem of sharing a key JC among 
legitimate terminals have been reduced to a multicast problem 
where Alice would like to transmit a message (i.e., the shared 
key JC) to a set of terminal where the rth one has a min-cut 



J2jBr ®J- F rom the main theorem of network coding (e.g., see 
12, El, llT8l . IHl), we know that this problem can be solved 
by performing linear network coding where the achievable rate 
is as follows 



where the sufficiency of optimization over subspaces follows 
from a similar argument to |7J Theorem 1]. Similar to the 
proof of Lemma [5] one can show that 



R, < 



— mm 9 j 

N r€[l:m] ^ 



{I - n A ) log q. 



By increasing N, the achievable secrecy rate will be arbitrarily 
close to R s < [min re [ 1:m ] J2j3r@j] ~ "Apogg, and we 
are done. ■ 

Lemma 8. Consider a set of n A packets denoted by the rows 
of a matrix X A £ F^ A x ^ of the form X A = [I M], where 

M ~ Uni LFg AX ^ ™ a '^. Assume that Eve has overheard n E 
independent linear combinations of these packets, represented 
by the rows of a matrix X E £ F™ E>< ^. Then for every k packets 
yi, . . . that are linear combinations of the rows of X A , if 
the subspace fly = (yi, • • • , t/fc) is orthogonal to {X E ) we 
have I(y 1 ,...,y k ;X E ) = 0. 

Proof: The proof is stated in [16, Appendix B]. ■ 

A. Special Case: Achievability Scheme for Two Terminals 

For simplicity and without loss of generality we assume 
that ?i B < n A and n E < n A . The key generation scheme starts 
by Alice broadcasting a message X A [t] at time t of the form 
of 10. Then, Theorem [3] states that the secrecy rate R s is 
achievable if 

R s < [dim([/ B + II E ) - dim(n E )] (£ - n A ) \ogq, 

where Ub = n B \ s IIe (for convenience we have replaced 
C/{b} with Ub)- Because Ub fl IIe = {0}, we have 

R s < [dim([/ B )] {£-n A )logq 

= [dim(n B ) - dim(n B D H E )] {t - n A ) logg 
= [n B - (n B + n E - n A ) + ] (£ - n A ) log q 
= [min[n A , n B + n E ] - n E ] (£ - n A ) logq, 

where this is the same as the upper bound given in Theorem |2] 
This is obvious when n A < ?i B + n E . On the other hand, if 
n A > n B + n E , then Alice can reduce the number of injected 
packets in every time-slot from n A to n B + n E (there is no 
need to use more than n B + n E degrees of freedom). 
Remark: Note that in the above scheme, as long as n E < n A , 
the secrecy rate is non-zero. 

Now, we compare the derived secrecy rate with the case 
where no feedback is allowed. First let us assume that n B > 
n E . Then, in the non-coherent network coding scenario intro- 
duced in £|II-CI it can be easily verified that the channel from 
Alice to Eve is a stochastically degraded (for the definition 
refer to ll20l p. 373]) version of the channel from Alice to Bob. 

So by applying the result of ||2T1 or El Theorem 3], for 
the secret key sharing capacity we can write 

C s = max [J(X A ; Xb) - I(X A ; X E )] 

= max[/(n A ;n B )-/(n A ;n E )], 

ft. 



c s 



[n B - n E } + (£ - n B )logg, 



which is positive only if n B > n E . ■ 
The above comparison demonstrates the amount of improve- 
ment of the secret key generation rate we might gain by using 
feedback. 

B. Special Case: Achievability Scheme for Three Terminals 

As an another example, here we consider the three trusted 
terminals problem (i.e., m = 2). As before, we assume that 
n A < £ and for the convenience we suppose that n B = nc < 
n A and n E < n A . 

In order to characterize the achievable secrecy rate, we need 
to find the dimension of subspaces Ub, Uq, and U B c and their 
sums (including IIe as well). We assume that the field size 
q is large and we know that II B , lie, and IIe are chosen 
uniformly at random from II A . Subspaces II B c and II B e are 
also distributed independently and uniformly at random in II B . 
Similarly, the same is true for II B c and IIce in lie- We have 

u B = n B \ s (n BC + n BE ) 
u c = n c \ s (n BC + n CE ) 
u B c = n BC \ s (II B ce), 

so we can write 

dim(t/ B ) = dim(n B ) - dim(n B c + n BE ) 

= dim(Il B ) — min [dim(II B c) + dim(II B E), dim(II B )] 
= n B — min [dim(n BC ) + dim(n BE ), n B ] 
= [n B - dim(n BC ) - dim(II BE )] + 

= [n B - (2n B - n A ) + - (n B + n E - n A ) + ] + , 

where (a) follows from Lemma Q] because II B c and II B e are 
chosen independently and uniformly at random from II B , (b) 
is true because q is large, and (c) follows from Lemma Q] 
Note that because we have assumed n B = nc it follows that 
dim(C/ c ) = dim(J7 B ). 

Similarly, for the dimension of Ubc we can write 

dim(J7 B c) = dim(n B c) - dim(II B cE) 

= dim(n BC ) - [dim(n BC ) + n E - n A } + 
= min \n A — n E , (2n B — n- A ) + ] • 

Proposition 1. From the construction, the subspaces Ub, Uq, 
and Ubc ore orthogonal and similarly the same holds for Ub, 
Ubc, and Tl E . Also Uc, U B c, and Tl E are orthogonal w.h.p. 

Now we may write the linear program stated in Theorem |3] 
as follows 

maximize min [9b + Obc, 0c + #bc] — n A ) log q 

subject to 9 B < dim(£/ B + iI E ) — n E 
6c < dim([/ c + n E ) - n E 
Obc < dim(f/ BC + n E ) - n E 
6 B + 6c< dim(t/ B + Uc+ II E ) - n E 
B + 0c + 0bc < dim([/ B + U c + U B c + n E ) - n E . 



Because of the symmetry in the problem {ns = nc), for the 
optimal solution we should have 8b = 6c- Knowing this and 
using Proposition [TJ we may further simplify the above linear 
program as follows 

maximize [Ob + 6bc] [i — "■a) log q 
subject to 8b < h [dim(£/B + Uc + IIe) — tie] = ct\ 
Obc < dim(!7Bc) = ct2 

29b + 6bc < dim(f/ B + Uc + Ubc + U. E ) -n E = a 3 . 

From the definitions of ce's, we can easily observe that, > 
2ai, a3 > a2, and a-$ < 2ai + a.%. Hence, 8b + 8bc gets its 
maximum at the point (8b, 8bc) = ( a3 ~° 2 1 a 2 ). Thus, for the 
maximum achievable secrecy rate we have 



Rs 



a 2 + Q'3 



(£ - n A )log<7. 



As mentioned before, we assume that subspaces Uj's are 
chosen uniformly at random from II j. So IIe and Uj's are 
independent and for we can write 

«3 = min[dim((7B) + dim(L^c) + dim(t/Bc) + dim(IlE), ua] — tie 

— min[dim(C/B) + dim(f7c) + dim(£/ B c), n/\ — tie] 

— min[2 dim(t/B) + dim([/Bc), n/\ — tie]. 

So for the secrecy rate (achievable asymptotically when q goes 
to infinity) we have 



R s /(i - n A ) logq = 
Avcq(Ub) + dim(£/ B c), ^ ("-a + dim(f/Bc) 



TIE: 



(10) 



Example 1. As an example, here we compare the achievable 
secret key sharing rate among three legitimate terminals (i.e., 
m = 2) as derived in ilOi with the upper bound stated in 
Theorem [2] We consider two symmetric setup where for the 
first one we have n/\ = 60, ns = nc = 15 (see Fig. \2(a)\ 
and for the second one we have up, = 60, ns = nc = 45 (see 
Fig. \2(b)} . In each of these situations, we depict the upper and 
lower bounds on the secret key generation rate as a function 
of the number of packets (degrees of freedom) received by Eve. 
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